The Importance of Achieving and Maintaining GDPR Compliance
In 2016, the European Union (EU) passed the General Data Protection Regulation (GDPR). This set of regulatory requirements, which went into effect in May 2018, is designed to help citizens of the EU to regain control over how their personal data is used. At the same time, though, the regulation imposes strict data governance and protection requirements, and imposes draconian consequences for non-compliance.
There are several important things to know about GDPR. First, although GDPR was created by the EU, it doesn’t apply solely to European companies. In fact, any organization that possesses an EU citizen’s personally identifiable data is subject to GDPR, regardless of the organization’s geographic location. As such, all enterprise-class organizations should consider themselves to be subject to the GDPR regulations because it’s highly unlikely that such an organization would not possess data pertaining to at least one EU citizen.
Although it remains to be seen whether or not the EU will be able to enforce GDPR penalties on companies outside of the EU, complying with GDPR is likely to be less expensive than paying the penalties for non-compliance, or challenging the legality of those penalties. Fines for non-compliance can be as high as 20 million euros ($22.5 million USD at today’s exchange rate), or up to 4% of a company’s entire annual revenue! As such, establishing GDPR compliance needs to be among the highest priorities for any affected organization that is not yet compliant.
It’s also worth noting that GDPR does not supersede other regulations to which an organization might be subject. As such, an organization will likely have to contend with overlapping regulatory requirements. Of course, contending with multiple, overlapping regulations isn’t an entirely new problem in the enterprise.
A U.S.-based healthcare company that accepts credit card payments, for example, would be subject to both HIPAA and PCI regulations. Just as neither of these regulations nullifies the other, GDPR compliance doesn’t excuse an organization from remaining compliant with other applicable regulations.
As an organization evaluates what’s required in order to achieve and maintain GDPR compliance, it’s important to understand that while many of the other existing regulations focus on keeping data secure, GDPR is more heavily oriented toward maintaining privacy. This isn’t to say that GDPR lacks security-related provisions: certainly, there are requirements within the regulation for keeping data secure.
The greater focus, however, is to maintain the privacy of EU citizens. For example, organizations must be able to prove that any data collected serves a specific purpose, and that no data is collected beyond what is minimally required by that purpose. Additionally, GDPR forbids personal data from being sold, or for being used for purposes other than those for which the data was collected.
The point is that GDPR goes beyond establishing data security requirements, requiring affected organizations to reevaluate all of their data collection and retention practices. This holds true whether an organization stores data on-premises or in the public cloud.
GDPR defines the organization that owns the data as the controller. It defines entities (such as cloud storage providers) that handle data on behalf of the controller as processors. Both the controller and the processor are required to be GDPR-compliant.
By now, GDPR has been around long enough that most, if not all, of the major cloud storage infrastructure providers are fully aware of the severe penalties associated with GDPR compliance violations. Any storage infrastructure vendor, including storage-as-a-service vendors, should be able to give its customers and subscribers more than just a statement of compliance: it should give them peace of mind. That peace of mind comes from knowing that the provider is going the extra mile to protect data against loss and to keep data private.
When it comes to safeguarding data privacy, encryption is a must. Data needs to be encrypted both in transit and at rest. Organizations concerned about GDPR compliance should look for a provider that allows them to retain control of the encryption keys, ensuring that the cloud provider itself can’t access the organization’s private data.
In short, there’s a big difference between knowing that a cloud storage provider is GDPR-compliant and knowing that a provider is actively working to protect your data. When choosing a storage provider, organizations should look beyond generic statements of compliance and focus on the actual protective mechanisms the provider has put into place.
One provider of cloud storage service to put at the top of your list when starting on this journey is ClearSky Data. ClearSky checks all the boxes for data protection and compliance with its approach to security, which plays a critical role in securing a customer’s data in compliance with GDPR. With ClearSky, customer data is always available and stored in multiple locations (without the need for data replication) for resilience. It’s fully GDPR-ready, so you have no fear of massive potential fines.
Click here to learn about ClearSky’s approach to cloud storage-as-a-service at the edge with built-in offsite data protection, and see how easy it is to store, protect, and maintain your GDPR-compliant data.